Bug 53561 - intel-microcode: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.4
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 4.4-8-errata
Assigned To: Quality Assurance
QA Contact: Erik Damrose
Reported: 2021-07-12 09:47 CEST by Quality Assurance
Modified: 2021-07-14 17:16 CEST
What kind of report is it?: Security Issue
Max CVSS v3 score: 8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)


Description Quality Assurance univentionstaff 2021-07-12 09:47:42 CEST
New Debian intel-microcode 3.20210608.2~deb9u2 fixes:
This update addresses the following issues:
* vt-d related privilege escalation (CVE-2020-24489)
* improper isolation of shared resources in some Intel Processors (CVE-2020-24511)
* observable timing discrepancy in some Intel Processors (CVE-2020-24512)
* information disclosure on some Intel Atom processors (CVE-2020-24513)
Comment 1 Quality Assurance univentionstaff 2021-07-12 10:00:23 CEST
--- mirror/ftp/4.4/unmaintained/4.4-8/source/intel-microcode_3.20201118.1~deb9u1.dsc
+++ apt/ucs_4.4-0-errata4.4-8/source/intel-microcode_3.20210608.2~deb9u2.dsc
@@ -1,3 +1,102 @@
+3.20210608.2~deb9u2 [Fri, 09 Jul 2021 17:26:41 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * SECURITY UPDATE for LTS, with changes to avoid regressions
+    WARNING: missing the security update for processors with signature 0x906ea.
+  * Refer to the changelog entry for 3.20210608.1 for the list of security
+    fixes in this release.
+  * Downgrade the microcode update for processors with signature 0x906ea, to
+    avoid a confirmed regression on some CFL-H/S/E3 U0 "Core Gen8 Desktop,
+    Mobile, Xeon E" systems with Intel Wireless LAN on-board, refer to:
+    https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/56
+    + sig 0x000906ea, pf_mask 0x22, 2020-05-25, rev 0x00de, size 103424
+  * Reintroduces all fixes (including several security updates) to Skylake
+    D0/R0 that were temporarily disabled in past releases.  Refer to changelog
+    entries since (and including) 3.20200609.1 for the list of security fixes.
+  * Note: 3.20210608.2~deb9u1 was never uploaded, but it was tagged in
+    salsa.d.o.  To avoid any possible issues, deb9u2 was used for the upload.
+
+3.20210608.2 [Wed, 23 Jun 2021 13:42:19 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * Correct INTEL-SA-00442 CVE id to CVE-2020-24489 in changelog and
+    debian/changelog (3.20210608.1).
+
+3.20210608.1 [Tue, 08 Jun 2021 22:37:57 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * New upstream microcode datafile 20210608 (closes: #989615)
+    * Implements mitigations for CVE-2020-24511 CVE-2020-24512
+      (INTEL-SA-00464), information leakage through shared resources,
+      and timing discrepancy sidechannels
+    * Implements mitigations for CVE-2020-24513 (INTEL-SA-00465),
+      Domain-bypass transient execution vulnerability in some Intel Atom
+      Processors, affects Intel SGX.
+    * Implements mitigations for CVE-2020-24489 (INTEL-SA-00442), Intel
+      VT-d privilege escalation
+    * Fixes critical errata on several processors
+    * New Microcodes:
+      sig 0x00050655, pf_mask 0xb7, 2018-11-16, rev 0x3000010, size 47104
+      sig 0x000606a5, pf_mask 0x87, 2021-03-08, rev 0xc0002f0, size 283648
+      sig 0x000606a6, pf_mask 0x87, 2021-04-25, rev 0xd0002a0, size 283648
+      sig 0x00080664, pf_mask 0x01, 2021-02-17, rev 0xb00000f, size 130048
+      sig 0x00080665, pf_mask 0x01, 2021-02-17, rev 0xb00000f, size 130048
+      sig 0x000806c1, pf_mask 0x80, 2021-03-31, rev 0x0088, size 109568
+      sig 0x000806c2, pf_mask 0xc2, 2021-04-07, rev 0x0016, size 94208
+      sig 0x000806d1, pf_mask 0xc2, 2021-04-23, rev 0x002c, size 99328
+      sig 0x00090661, pf_mask 0x01, 2021-02-04, rev 0x0011, size 19456
+      sig 0x000906c0, pf_mask 0x01, 2021-03-23, rev 0x001d, size 19456
+      sig 0x000a0671, pf_mask 0x02, 2021-04-11, rev 0x0040, size 100352
+    * Updated Microcodes:
+      sig 0x000306f2, pf_mask 0x6f, 2021-01-27, rev 0x0046, size 34816
+      sig 0x000306f4, pf_mask 0x80, 2021-02-05, rev 0x0019, size 19456
+      sig 0x000406e3, pf_mask 0xc0, 2021-01-25, rev 0x00ea, size 105472
+      sig 0x000406f1, pf_mask 0xef, 2021-02-06, rev 0xb00003e, size 31744
+      sig 0x00050653, pf_mask 0x97, 2021-03-08, rev 0x100015b, size 34816
+      sig 0x00050654, pf_mask 0xb7, 2021-03-08, rev 0x2006b06, size 36864
+      sig 0x00050656, pf_mask 0xbf, 2021-03-08, rev 0x4003102, size 30720
+      sig 0x00050657, pf_mask 0xbf, 2021-03-08, rev 0x5003102, size 30720
+      sig 0x0005065b, pf_mask 0xbf, 2021-04-23, rev 0x7002302, size 27648
+      sig 0x00050663, pf_mask 0x10, 2021-02-04, rev 0x700001b, size 24576
+      sig 0x00050664, pf_mask 0x10, 2021-02-04, rev 0xf000019, size 24576
+      sig 0x00050665, pf_mask 0x10, 2021-02-04, rev 0xe000012, size 19456
+      sig 0x000506c9, pf_mask 0x03, 2020-10-23, rev 0x0044, size 17408
+      sig 0x000506ca, pf_mask 0x03, 2020-10-23, rev 0x0020, size 15360
+      sig 0x000506e3, pf_mask 0x36, 2021-01-25, rev 0x00ea, size 105472
+      sig 0x000506f1, pf_mask 0x01, 2020-10-23, rev 0x0034, size 11264
+      sig 0x000706a1, pf_mask 0x01, 2020-10-23, rev 0x0036, size 74752
+      sig 0x000706a8, pf_mask 0x01, 2020-10-23, rev 0x001a, size 75776
+      sig 0x000706e5, pf_mask 0x80, 2020-11-01, rev 0x00a6, size 110592
+      sig 0x000806a1, pf_mask 0x10, 2020-11-06, rev 0x002a, size 32768
+      sig 0x000806e9, pf_mask 0x10, 2021-01-05, rev 0x00ea, size 104448
+      sig 0x000806e9, pf_mask 0xc0, 2021-01-05, rev 0x00ea, size 104448
+      sig 0x000806ea, pf_mask 0xc0, 2021-01-06, rev 0x00ea, size 103424
+      sig 0x000806eb, pf_mask 0xd0, 2021-01-05, rev 0x00ea, size 104448
+      sig 0x000806ec, pf_mask 0x94, 2021-01-05, rev 0x00ea, size 104448
+      sig 0x000906e9, pf_mask 0x2a, 2021-01-05, rev 0x00ea, size 104448
+      sig 0x000906ea, pf_mask 0x22, 2021-01-05, rev 0x00ea, size 102400
+      sig 0x000906eb, pf_mask 0x02, 2021-01-05, rev 0x00ea, size 104448
+      sig 0x000906ec, pf_mask 0x22, 2021-01-05, rev 0x00ea, size 103424
+      sig 0x000906ed, pf_mask 0x22, 2021-01-05, rev 0x00ea, size 103424
+      sig 0x000a0652, pf_mask 0x20, 2021-02-07, rev 0x00ea, size 93184
+      sig 0x000a0653, pf_mask 0x22, 2021-03-08, rev 0x00ea, size 94208
+      sig 0x000a0655, pf_mask 0x22, 2021-03-08, rev 0x00ec, size 94208
+      sig 0x000a0660, pf_mask 0x80, 2020-12-08, rev 0x00e8, size 94208
+      sig 0x000a0661, pf_mask 0x80, 2021-02-07, rev 0x00ea, size 93184
+  * source: update symlinks to reflect id of the latest release, 20210608
+
+3.20210216.1 [Wed, 17 Feb 2021 11:26:06 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * New upstream microcode datafile 20210216
+    * Mitigates an issue on Skylake Server (H0/M0/U0), Xeon-D 21xx,
+      and Cascade Lake Server (B0/B1) when using an active JTAG
+      agent like In Target Probe (ITP), Direct Connect Interface
+      (DCI) or a Baseboard Management Controller (BMC) to take the
+      CPU JTAG/TAP out of reset and then returning it to reset.
+    * This issue is related to the INTEL-SA-00381 mitigation.
+    * Updated Microcodes:
+      sig 0x00050654, pf_mask 0xb7, 2020-12-31, rev 0x2006a0a, size 36864
+      sig 0x00050656, pf_mask 0xbf, 2020-12-31, rev 0x4003006, size 53248
+      sig 0x00050657, pf_mask 0xbf, 2020-12-31, rev 0x5003006, size 53248
+  * source: update symlinks to reflect id of the latest release, 20210216
+
 3.20201118.1~deb9u1 [Mon, 25 Jan 2021 11:29:27 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
 
   * Rebuild for stretch LTS, with changes to avoid regressions
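
Review bot: The 0x906ea exception in the top entry (3.20210608.2~deb9u2) is not reflected in the bug description, which lists CVE-2020-24489, CVE-2020-24511, CVE-2020-24512 and CVE-2020-24513 as addressed without qualification. The entry itself warns "missing the security update for processors with signature 0x906ea" and pins that signature to rev 0x00de (2020-05-25), while the 3.20210608.1 list further down still shows sig 0x000906ea at rev 0x00ea, so the two listings disagree and the top entry is the one that describes what ships. Suggest carrying the caveat into the errata text in doc/errata/staging/intel-microcode.yaml, naming the signature and the affected CFL-H/S/E3 U0 systems, so operators can tell from the advisory that those hosts do not receive these mitigations from this package.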

<http://piuparts.knut.univention.de/4.4-8/#7777362445288471538>
Comment 2 Erik Damrose univentionstaff 2021-07-14 16:54:07 CEST
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-8] d630d3cda6 Bug #53561: intel-microcode 3.20210608.2~deb9u2
 doc/errata/staging/intel-microcode.yaml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)